What should a printer print?

Over at their blog, i.Materialise (a 3D printing shop) brags about not taking an order. The post is “ATTENTION: ATM skimming device.” It opens:

There is no doubt that 3D printing is a versatile tool for materializing your 3D ideas. Unfortunately, those who wish to break the law can also try to use our technology. We recently received an order which bore a strong resemblance to an ATM skimming device. Basically, the customer placed a 3D print order for a device similar to the one below which is inserted in an ATM machine.

The plastic part can be attached to an ATM machine and with the appropriate hardware and tapped keyboard can scan cards and get personal data. In most cases, such a device does not prevent the cardholder from withdrawing funds from their account, but as their card has been scanned, it can later be reproduced and funds can be stolen from their account.

Fortunately, our engineers were quick to react, and after communication with the customer, the decision was made to decline the order. We do not support criminal activity and will do everything in our power to prevent possible crimes.

The choice that i.Materialise has made is their business. And I appreciate the impulse to protect people from the potentially negative side effects of their awesome business. At the same time, I think it’s a thought provoking and questionable decision for a whole slew of reasons:

  • There are legitimate uses for an ATM skimmer part. For example, as a security expert, I might want such a thing to wave around at conferences. Bank employees might want some for training people on what to look out for. (This is somewhat mitigated by their reaching out, but do I want a business that makes judgement calls about what I print? Maybe I’ll take my adult toy business elsewhere, rather than thinking about what it means for their engineers to be “quick to react.”)
  • The public needs to start to understand that physical objects like this are coming. As 3D printing becomes common, many things will become easier to spoof and fake. Caveat emptor will return. I expect we’ll see a race between high and low volume manufacturers where the high volume folks will specialize in things that are hard to make at home, perhaps using things like translucent plastics, toxic ingredients and/or aluminum and titanium, both of which require high temperatures.
  • The banking industry needs to understand that skimmers are getting insanely realistic, and they would be fools to rely on the good graces of 3d printing firms. Skimmers are already so realistic that they’re being installed on in-bank ATMs. Banks are going to need to figure out what to do about that. I figure they can go seamless curvy metal, settle on a single card slot design and roll it out, or start hiring mural painters to customize each ATM machine. Banks will also find it increasingly expensive to stay with magstripe + PIN.
  • This may set a precedent for i.Materialise to not be a “common printer” but a co-conspirator in production. (I believe the company is in Belgium, so their mileage will vary.) In the US, we have a concept of a common carrier, that is, one that will take all customers who can pay. You can choose to discriminate, but if you do, you’re answerable for it. If i.Materialise produces a part that’s used in a future crime, they’ve set a precedent that their engineers should have prevented it. I certainly wouldn’t want to have to answer in court for the statement that we’d “do everything in our power to prevent possible crimes.”

But, it’s their business, and their choice to make. It’s important to understand that 3D printing is getting faster, cheaper and more exciting every year, and that’s going to lead to a lot of chaos emerging.

I’m not aware of anything that makes it unlikely that there will be commercial, inexpensive home 3d printers in 5-10 years. Many of those will be based on open source software like RepRap, just as many inexpensive home routers either ship with or advertise support for dd-wrt. Those home devices will print ATM skimmer covers because it will be easy to remove code that tries to censor what can be printed. They’ll also print bomb parts, “drug paraphernalia,” and print-at-home Star Wars toys. Sorry, Kenner! And Pottery Barn, your days of selling glazed clay may be coming to an end. Later on, we’ll be able to print with easily worked metals like copper, silver or zinc, and those patented cables will be conspicuous consumption.

What’s happening to music and books will happen to physical things. The experience (the concert, the cruise with the band) becomes part of the artist’s revenue stream. Etsy will replace WalMart, because it will be cheaper to print plastics at home than to print them in China, ship them and warehouse them. And you’ll be able to buy plastic and clay that you know are BPA-free, or whatever the latest fad is. You’ll get your circuits or other harder things at shops like Metrix:Create Space. What you’ll pay for, and what Etsy is set up to deliver, is artistry and uniqueness.

Most of us in what’s left of the first world will be able to print the things we want, in the colors, designs and customizations we want. We’ll be better off for it. GDP will likely go down while our standard of living goes up.

Whichever way all this goes, lots of chaos is going to emerge, and we’re going to live in interesting times.

(Thanks to Boing Boing for catching the story.)

ID theft, its Aftermath and Debix AfterCare

In the past, I’ve been opposed to calling impersonation frauds “identity theft.” I’ve wondered why the term impersonation isn’t good enough. As anyone who’s read the ID Theft Resource Center’s ‘ID Theft Aftermath’ reports (2009 report) knows, a lot of the problem with long-term impersonation is the psychological impact of disassociation from your good name. It’s not just the financial costs of dealing with mistakes (although those are important), it’s the sense of dread in connecting to today’s society and the reputation infrastructures that have been overlaid onto our lives. It’s the fear of victims that they’re perceived as irrationally fearful, whingers or a burden.

And so I want to quote from a blog post from Debix:

It’s Bo here, CEO of Debix. Today, I’m excited to announce another industry first for Debix – a new feature of our OnCall Credit Monitoring™ product called AfterCare™.

The idea came directly from thousands of conversations with our concerned data breach consumers. The number one complaint we receive is about the gap between the “lifetime risk” the consumer perceives when told their identity is breached, and the 1-2 years of credit monitoring normally offered as a remedy.

We always do our best to explain why it is not feasible to provide 5, 10, 20 year or “lifetime” credit monitoring subscriptions, but none of the reasons are very satisfying. It is hard for the consumer to feel good about a remedy where the protection expires quickly but the perceived risk lives on. (Original in Debix blog post.)

That’s why I find Debix’s offer of a lifetime of repair to be so exciting. It’s someone on your side through all of that.

In other news about identity theft, there’s an interesting story about the head of Interpol having his ID stolen via Facebook. In the past, I’d have been very skeptical of such a claim, but a great many folks present themselves to the world on Facebook, and:

One of the impersonators used the fake profile to obtain information on fugitives targeted in a recent Interpol-led operation seeking on-the-run criminals convicted of serious offences, including rape and murder.

Identity is hard, and all sorts of interesting stuff emerges from that chaos. Today’s news about AfterCare™ is on the good and interesting side of that.

Dear AT&T

You never cease to amaze me with your specialness. You’ve defined a way to send MMS on a network you own, with message content you control, and there’s no way to see the full message:

[screenshot: IMG_0171.jpg]

In particular, I can’t see the password that I need to see the message.

Databases or Arrests?

From Dan Froomkin, “FBI Lab’s Forensic Testing Backlog Traced To Controversial DNA Database,” we see this example of the mis-direction of key funds:

The pressure to feed results into a controversial, expansive DNA database has bogged down the FBI’s DNA lab so badly that there is now a two-year-and-growing backlog for forensic DNA testing needed to solve violent crimes and missing persons cases.

Civil libertarians call the database — which increasingly includes everyone convicted of every federal law, legally innocent people awaiting trial and non-citizens detained in the U.S. for any reason — unnecessary and unconstitutional.

And yet a review by the Department of Justice’s Inspector General released on Monday concludes that the need to analyze and upload some 96,973 or more DNA samples a year into that database is contributing to a backlog of forensic DNA cases that stood at 3,211 in March.

That translates into a delay of about 150 days to over 600 days for law enforcement agencies who need answers right away.

We need to defund the database and use that money for something more useful, like getting that 150 days down to 5 or 10 for active criminal cases.

Via Michael Froomkin, “FBI Prefers Building DNA Database to Solving Crimes.”

How not to address child ID theft

(San Diego, CA) Since the 1980’s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child’s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” numbers. Unfortunately, credit issuers do not currently have the ability to verify if a SSN belongs to an adult or a minor. If they knew that the SSN presented belonged to a minor they would automatically deny opening a credit account.

Years ago, the Identity Theft Resource Center envisioned a simple solution to this problem. It is called the Minors 17-10 Database and ITRC has been talking with various government entities and legislators about this concept since July 2005. (…)

The creation of a Minors 17-10 Database would provide credit issuers the tool to verify if the SSN provided belongs to a child. This proposed SSA record file would selectively extract the name, month of birth, year of birth, and SSN of every minor from birth to the age of 17 years and 10 months. This record file, maintained by SSA, would be provided monthly to approved credit reporting agencies. When a credit issuer calls about the creditworthiness of a SSN, if the number is on the Minors 17-10 Database, they would be told that the SSN belongs to a minor.

That’s from a press release mailed out by the normally very good Identity Theft Resource Center. Unfortunately, this idea is totally and subtly broken.

Today, the credit agencies don’t get lists from the SSA. This is a good thing. There’s no authorization under law for them to do so. The fact that they’ve created an externality on young people is no reason to revise that law. The right fix is for them to fix their systems.

The right fix is for credit bureaus to delete any credit history from before someone turns 18. Birth dates could be confirmed by a drivers license, passport or birth certificate.

Here’s how it would work:

  1. Alice turns 18.
  2. Alice applies for credit and discovers she has a credit history.
  3. Alice calls the big three credit agencies, gets a runaround, and explains she’s just turned 18 and apparently has credit from when she was 13.
  4. The credit agency asks for documents, just like they do today (see “when do I need to provide supporting docs”).
  5. The credit agency looks at the birthday they’ve been provided, and subtracts 18 years from the year field.
  6. The credit agency removes any record that predates that date from the report.

It’s easy, and doesn’t require anything but a change in process by the credit bureaus. No wonder they haven’t done it, when they can convince privacy advocates that they should get lists of SSN/name/dob tuples from Uncle Sam.
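To show how little machinery the process above actually needs, here is an added example (mine, not anything from the ITRC release or the credit bureaus) of step 5 and 6 as code: take the date of birth from the document Alice supplied, compute her 18th birthday, and drop every tradeline opened before it. The names `Tradeline`, `purge_minor_tradelines` and the sample tradelines are assumptions constructed for the illustration. The one wrinkle in “subtract 18 from the year field” is a 29 February birthday in a year whose 18th anniversary is not a leap year; the code falls back to 1 March for that case, which is the usual convention but is likewise an assumption, not anything the post specifies.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Tradeline:
    """One credit account as it appears on a report (hypothetical record shape)."""
    creditor: str
    opened: date


def eighteenth_birthday(dob: date) -> date:
    """Return the date on which someone born on `dob` turns 18.

    This is the post's "subtract 18 years from the year field". The only
    date that cannot simply have its year replaced is 29 February when the
    target year is not a leap year; we treat 1 March as the birthday then
    (an assumption about policy, not something stated on the page).
    """
    try:
        return dob.replace(year=dob.year + 18)
    except ValueError:  # 29 Feb birthday, 18 years later is not a leap year
        return date(dob.year + 18, 3, 1)


def purge_minor_tradelines(dob: date, tradelines: list[Tradeline]):
    """Split tradelines into those to keep and those to remove.

    Anything opened strictly before the 18th birthday was opened in the name
    of a minor, who by law could not have been offered credit, and is removed.
    An account opened on the birthday itself is kept.
    """
    cutoff = eighteenth_birthday(dob)
    kept = [t for t in tradelines if t.opened >= cutoff]
    removed = [t for t in tradelines if t.opened < cutoff]
    return kept, removed


# Constructed sample data: Alice, born 15 March 1992, finds three accounts
# on her report when she applies for credit shortly after turning 18.
ALICE_DOB = date(1992, 3, 15)
ALICE_TRADELINES = [
    Tradeline("Dept store card", date(2005, 6, 1)),   # opened when she was 13
    Tradeline("Cell phone plan", date(2010, 3, 15)),  # opened on her 18th birthday
    Tradeline("Auto loan", date(2010, 9, 1)),         # opened at 18
]

# Constructed edge case: a 29 February birthday. 1992 was a leap year; 2010 is not.
LEAP_DOB = date(1992, 2, 29)
LEAP_TRADELINES = [
    Tradeline("Catalog account", date(2010, 2, 28)),  # still a minor
    Tradeline("Student card", date(2010, 3, 1)),      # first day of adulthood
]


if __name__ == "__main__":
    for dob, lines in ((ALICE_DOB, ALICE_TRADELINES), (LEAP_DOB, LEAP_TRADELINES)):
        kept, removed = purge_minor_tradelines(dob, lines)
        print(f"DOB {dob}: 18th birthday {eighteenth_birthday(dob)}")
        for t in removed:
            print(f"  remove: {t.creditor} (opened {t.opened})")
        for t in kept:
            print(f"  keep:   {t.creditor} (opened {t.opened})")
```

The input to this is the date of birth on the passport, driver’s license or birth certificate the bureau already asks for; at no point does it need a name/SSN/DOB list from the SSA.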

A Blizzard of Real Privacy Stories

Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic:

Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there was no risk to users, and the experiment went drastically wrong. “Within five minutes, users had got hold of his telephone number, home address, photographs of him and a ton of other information,” said Mr Brand.

The customers apparently really liked their privacy, and “Blizzard backs off real-name forum mandate.” Which, you’d think, would end the uproar. But no. This morning, “Gamers Who Complained About Blizzard’s Forum Privacy See Email Addresses Leaked” by the Entertainment Software Rating Board. Interestingly, the ESRB Online Privacy Policy is one of the few that does not start “your privacy is important to us.” Who knew that line was important?

The key lesson is that your customers think about identity differently than you do, and trying to add it to a system is fraught with risk. (Don’t even get me started on the jargon “identity provider.”)

Between an Apple and a Hard Place

So the news is all over the web about Apple changing their privacy policy. For example, Consumerist says “Apple Knows Where Your Phone Is And Is Telling People:”

Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you must do in order to download anything via the iTunes store) you agree to let Apple collect, store and share “precise location data, including the real-time geographic location of your Apple computer or device.”

Apple says that the data is “collected anonymously in a form that does not personally identify you,” but for some reason we don’t find this very comforting at all. There appears to be no way to opt-out of this data collection without giving up the ability to download apps.

Now, speaking as someone who was about to buy a new iPhone (once the servers stopped crashing), what worries me is that the new terms are going to be in the new license for new versions of iTunes and iPhones.

Today, it’s pretty easy to not click ok. But next week or next month, when Apple ships a security update, they’re going to require customers to make a choice: privacy or security. Apple doesn’t ship patches for the previous rev of anything but their OS. iTunes problem? Click ok to give up your privacy, or don’t, and give up your security.

Not a happy choice, being stuck between an Apple and a hard place.

Bleg: How to Delete Kindle Logs?

Well, Amazon has a new update for Kindle (with folders! OMG!), and I’m planning to apply it.

However, last time I installed an update, I noticed that it lost the “wireless off” setting, and was apparently contacting Amazon. I don’t want it to do so, and leave wireless off. It’s safer that way, whatever promises Amazon may make.

Does anyone know how to delete the logfile so that nothing gets uploaded?

Mobile Money for Haiti: a contest

This is cool:

The Bill & Melinda Gates Foundation is using its financial clout to push the Haitian marketplace toward change by offering $10 million in prizes to the first companies to help Haitians send and receive money with their cell phones…

The fund will offer cash awards to companies that initiate mobile financial services in Haiti. The first company to launch a mobile money service that meets certain criteria in the next six months will receive $2.5 million. The second operator to launch and reach these benchmarks within 12 months will receive $1.5 million. Another $6 million will be awarded as the first 5 million transactions take place, divided accordingly between those operators that contributed to the total number of transactions.

For more details, see the press release.

We’ll always have Facebook…